kernel-2.6.21-1.3145.fc7.x86_64 vpnc-0.4.0-2.fc7 NetworkManager-0.6.5-2.fc7 I upgraded only kernel-2.6.21-1.3145.fc7 and suddenly vpnc stops working. type=USER_AVC msg=audit(1178897966.675:43): user pid=2461 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.NetworkManager.vpnc member=signalIP4Config dest=org.freedesktop.NetworkManager.vpnc spid=6396 tpid=6056 scontext=user_u:system_r:vpnc_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' setenforce 0 allows vpnc to work again.
This needs adjustments in selinux policy.
Can't reproduce this on i386 (kernel 3149, policy 2.6.1-1.fc7) - might be x86_64-only?
Why is /bin/dbus-daemon running as unconfined_t? Did you start this by hand?
Yes, I realized what happened. I was running NetworkManager --no-daemon by hand as is customary when you are trying to debug NetworkManager's behavior. I would expect that NetworkManager should behave identically when run in this manner. Is it possible or reasonable to modify the policy to allow this?
I can make that change. By default I don't though because it will also cause problems the other way. We have turned off most transitions from unconfined_t and only on from initrc_t. People testing code do things like httpd >> ~/mylog which is denied by SELinux since apache is not allowed to write to the homedir. So we have a fine line of when to transition. But if you want the transition I will add it.
Sounds like a bit of a security risk to make that change. So if running stuff by hand causes these problems, what's the recommended way to test NetworkManager without causing these problems? Maybe a SELinux boolean for allowing this transition would help?
I'm afraid if we don't allow this by default, it is effectively the same a difficult to find hidden boolean. What is a concrete example where allowing this would allow a compromise to happen?
I have no problem making the change for NetworkManager. But this is more of a problem for apps that are commonly run by the user and we don't want to confine when run by the user. The problem from an qa point of view, the administrator can force the transition in permissive mode and using runcon. You can also attach gdb to the running process.
NetworkManager is only runnable by root. Is this really a danger? It is very non-obvious that NetworkManager --no-daemon would require a forced transition to permissive or boolean in order to work, especially because it fails only in a hidden non-default codepath.
Fixed in selinux-policy-2.6.4-4.fc7
NetworkManager-0.7.0-0.3.svn2914.fc8 NetworkManager-vpnc-0.7.0-0.2.svn2914.fc8 selinux-policy-3.0.8-17.fc8 This bug is back in rawhide, probably due to the re-architecting of NetworkManager. /var/log/audit/audit.log: type=USER_AVC msg=audit(1191557195.027:26): user pid=4258 uid=81 auid=500 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.NetworkManager.VPN.Plugin member=SetIp4Config dest=org.freedesktop.NetworkManager.vpnc spid=4508 tpid=4474 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' NetworkManager debug message: ** (process:4574): WARNING **: <WARN> send_ip4_config(): Could not send failure information: An SELinux policy prevents this sender from sending this message to this recipient (rejected message had interface "org.freedesktop.NetworkManager.VPN.Plugin" member "SetIp4Config" error name "(unset)" destination "org.freedesktop.NetworkManager.vpnc") module vpncmanual 1.0; require { type vpnc_t; type unconfined_t; class dbus send_msg; } #============= vpnc_t ============== allow vpnc_t unconfined_t:dbus send_msg; This .te file allows it to work for me. Is this correct? What happened to the previous solution?
Another AVC... type=USER_AVC msg=audit(1191558535.881:38): user pid=4258 uid=81 auid=500 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.NetworkManager.VPN.Plugin member=Ip4Config dest=org.freedesktop.DBus spid=4984 tpid=5301 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:vpnc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' type=USER_AVC msg=audit(1191558535.881:39): user pid=4258 uid=81 auid=500 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.NetworkManager.VPN.Plugin member=StateChanged dest=org.freedesktop.DBus spid=4984 tpid=5301 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:vpnc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' NetworkManager debug message: ** (process:5301): WARNING **: <WARN> send_ip4_config(): Could not send failure information: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken. module vpncmanual2 1.0; require { type unconfined_t; type vpnc_t; class dbus send_msg; } #============= unconfined_t ============== allow unconfined_t vpnc_t:dbus send_msg;
Fixed in selinux-policy-3.0.8-18